[RADIATOR] PEAP / MSCHAPv2 NTLM Auth + additional LDAP attribute check
Onno Witvliet
onno.inh at gmail.com
Wed May 11 11:48:26 CDT 2011
Hello all,

I'm trying to configure Radiator to authenticate our users with PEAP / MSCHAPv2.
We're running Radiator on Linux and we want to authenticate against MS Active Directory.

The authentication with NTLM works fine, but we want to check if the user is allowed to use
the wireless network by checking the msNPAllowDialin property in Active Directory.
As far as I can tell, for this additional check to work, I need to query AD via LDAP
for the property msNPAllowDialin and check the value of the property.

I've tried several things, but I can't figure out how I can query the AD via LDAP without Radiator
trying to authenticate the LDAP query with MSCHAPv2 (with Access-Reject as a result).
I'm trying to use PostSearchHook to check if msNPAllowDialin exists and if the value equals YES,
to return an Access-Accept, else return Access-Reject.

I have 3 questions:
1) Is this the right approach to solve this problem?
2) How can I query via LDAP without (EAP) authentication?
3) How can I return Access-Accept / Access-Reject from the PostSearchHook?

Any hints would be appreciated.
Regards,
Onno Witvliet
Hogeschool Inholland
The Netherlands
Overview config:

<AuthBy FILE>
    Identifier outer-tunnel-auth
    Filename %D/dot1x_anon
    EAPType PEAP
    # Certificates
    EAPTLS_CAFile /etc/radiator/certificates/ca.pem
    EAPTLS_CertificateFile /etc/radiator/certificates/server.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /etc/radiator/certificates/server.key
    EAPTLS_MaxFragmentSize 1000
    EAPTLS_PEAPVersion 0
    AutoMPPEKeys
</AuthBy>

<AuthBy NTLM>
    Identifier AuthNTLM
    EAPType MSCHAP-V2
    Domain DOMAIN
    NtlmAuthProg /usr/bin/ntlm_auth -s /etc/samba/our-winbindd.conf --helper-protocol=ntlm-server-1
    UsernameMatchesWithoutRealm
</AuthBy>

<AuthBy LDAP2>
    Identifier AuthLDAP
    Host x.x.x.x
    AuthDN cn=admin,dc=domain,dc=nl
    AuthPassword secret
    BaseDN ou=users,dc=domain,dc=nl
    UsernameAttr sAMAccountName
    PasswordAttr
    AuthAttrDef msNPAllowDialin,GENERIC,request
    # PostSearchHook sub { my $attr = $_[4]->get('msNPAllowDialin'); \
    #     $_[3]->get_reply->add_attr('Dialin-Allowed', 1); }
    Debug 255
</AuthBy>

<Handler User-Name=/.+@domain.nl/>
    Identifier outer-handler
    AuthBy outer-tunnel-auth
</Handler>

<Handler TunnelledByPEAP=1>
    Identifier inner-handler
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        # Authenticate against AD with ntlm_auth
        AuthBy AuthNTLM
        # check msNPAllowDialin property against AD with LDAP
        AuthBy AuthLDAP
    </AuthBy>
</Handler>
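As an added illustration of the PostSearchHook idea in the post above (example code written for this page, not the poster's config and not Radiator's own code): a hook that reads msNPAllowDialin from the LDAP entry and turns it into an accept/reject decision, followed by tiny stand-in objects so the hook can be exercised with plain perl, outside Radiator. It assumes the hook argument positions the poster's commented-out hook already uses ($_[3] the Radiator User object with get_check/get_reply, $_[4] the Net::LDAP::Entry), that the entry exposes the Net::LDAP::Entry method get_value, and that AD stores the flag as the string TRUE/FALSE (the post says YES; adjust the comparison to whatever the directory actually returns). Using a check item Auth-Type = Reject to force the rejection is also an assumption about Radiator's check-item handling. The MockUser/MockEntry/MockAttrList packages are constructed test doubles, not Radiator classes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# --- the hook ----------------------------------------------------------
# Radiator calls PostSearchHook with ($self, $name, $p, $user, $entry, ...)
# (assumed order; matches the $_[3]/$_[4] usage in the post).
sub dialin_post_search_hook {
    my ($self, $name, $p, $user, $entry) = @_;

    # get_value returns the empty list when the attribute is absent,
    # so a user without msNPAllowDialin is treated as NOT allowed.
    my @values  = $entry->get_value('msNPAllowDialin');
    my $allowed = grep { uc($_) eq 'TRUE' } @values;   # assumed TRUE/FALSE encoding

    if ($allowed) {
        # Positive case: annotate the reply; the AuthBy accepts as usual.
        $user->get_reply->add_attr('Reply-Message', 'Dial-in allowed');
    } else {
        # Negative case: add a check item that can never match, so the
        # AuthBy rejects (assumption: Auth-Type=Reject is honoured here).
        $user->get_check->add_attr('Auth-Type', 'Reject');
    }
    return;
}

# --- constructed stand-ins so the hook runs without Radiator -------------
package MockAttrList;
sub new      { bless { attrs => [] }, shift }
sub add_attr { my ($s, $n, $v) = @_; push @{ $s->{attrs} }, [ $n, $v ]; return }
sub has      { my ($s, $n, $v) = @_;
               return scalar grep { $_->[0] eq $n && $_->[1] eq $v } @{ $s->{attrs} } }

package MockUser;          # mimics get_check / get_reply on Radiator's User object
sub new       { bless { check => MockAttrList->new, reply => MockAttrList->new }, shift }
sub get_check { $_[0]->{check} }
sub get_reply { $_[0]->{reply} }

package MockEntry;         # mimics Net::LDAP::Entry->get_value (single or multi-valued)
sub new       { my ($c, %a) = @_; bless { %a }, $c }
sub get_value { my ($s, $k) = @_; my $v = $s->{$k};
                return () unless defined $v;
                return ref $v eq 'ARRAY' ? @$v : ($v) }

package main;

# Constructed sample directory entries covering the three cases that matter.
my %cases = (
    'alice (TRUE)'       => MockEntry->new(msNPAllowDialin => 'TRUE'),
    'bob (FALSE)'        => MockEntry->new(msNPAllowDialin => 'FALSE'),
    'carol (attr unset)' => MockEntry->new(),
);

for my $label (sort keys %cases) {
    my $user = MockUser->new;
    dialin_post_search_hook(undef, $label, undef, $user, $cases{$label});
    my $verdict = $user->get_check->has('Auth-Type', 'Reject')
                ? 'Access-Reject' : 'Access-Accept';
    printf "%-20s -> %s\n", $label, $verdict;
}
```

Only alice ends up with Access-Accept; bob (flag FALSE) and carol (flag never set) both get the rejecting check item. To use it in the real config, only the hook sub goes into the AuthBy LDAP2 clause, either inline as `PostSearchHook sub { ... }` or from a file with Radiator's `file:"..."` hook syntax; the mock packages and the loop exist purely to run the logic on a workstation. On question 2, note that if AuthNTLM has already verified the password, the LDAP clause only needs to find the user and apply its check items, which is what AuthBy LDAP2's NoCheckPassword parameter is for; that avoids the second AuthBy attempting the MSCHAPv2 inner authentication itself.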